App Security

Security has been getting a lot more attention recently, due to high-profile
attacks that have garnered lots of news coverage. Mobile security is no
different, as app developers have to take into account how to secure
their apps — and, by extension, their users and those users’ data —
from attackers bent on absconding with, or damaging, data.

During this one-day seminar, we will explore the following:

Overview of Android Security

What are the various layers of the Android security model that affect developers?

How does Android use the Linux process model to help secure our apps?

What impacts does this model have on our ability to work with local files?

What is going on with removable media on Android, anyway?

Android’s Permission System

What is Android’s permission system?

How do we declare our wish to hold certain permissions?

How do we know if we hold those permissions?

How do we ask the user to kindly consider granting us those permissions?

How do we define custom permissions, and what are the problems with doing so?

What are some things that are secure, but do not use the standard permission system?

App-Level Data Encryption

Why might we want to encrypt our local data?

What is SQLCipher for Android?

How can we use SQLCipher for Android as an encrypted replacement for standard SQLite?

How can we encrypt other sorts of files?

What about Facebook’s Conceal library?

Where do we get our encryption passphrase from?

What is Android’s keystore, and how can we use it to help with encrypting user data?

How can we use two-factor authentication, such as fingerprints, to tie into our encryption process?

Defending App APIs and UIs

What are our app’s APIs?

When are components exported, and when are they not exported?

How do I secure my components with permissions?

How do I grant temporary access to my ContentProvider, while normally keeping it secured?

How can my components — or the components that my app talks to — be spoofed?

How can I check signatures of apps to determine if the partner app is what I think it is?

What was the tapjacking attack, and what is the activityjack attack?

What is the camera peeking attack?

How do I defend against screenshots?

How do I “defend” against AccessibilityService? NotificationListenerService? Autofill?

SSL

How can I use SSL on Android?

Why might I want to use a self-signed certificate, and how can I use one on Android?

What is “pinning” with regard to SSL, and how can I employ it in Android?

What is “memorization” with regard to SSL, and how can I employ it in Android?

How can I deal with revoked SSL certificates, as we encountered with Heartbleed?